From: orderconfirmation@esab.co.uk
Date: 15 August 2016 at 10:37
Subject: Order Confirmation-7069-2714739-20160815-292650
_________________________________________________________________
This communication and any files transmitted with it contain information which is confidential and which may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any disclosure, copying, printing or use whatsoever of this communication or the information contained in it is strictly prohibited. If you have received this communication in error, please notify us by e-mail or by telephone as above and then delete the e-mail together with any copies of it.
ESAB does not accept liability for the integrity of this message or for any changes, which may occur in transmission due to network, machine or software failure or manufacture or operator error. Although this communication and any files transmitted with it are believed to be free of any virus or any other defect which might affect any computer or IT system into which they are received and opened, it is the responsibility of the recipient to ensure that they are virus free and no responsibility will be accepted by ESAB for any loss or damage arising in any way from receipt or use thereof.

Attached is a file with a name similar to Order_Confirmation-7069-2714739-20160815-292650.docm which contains a malicious macro. There are various versions, which according to my source (thank you) download a component from one of the following locations:
marcinha.50webs.com/HJ6bhGHV
marimo1963430.web.fc2.com/HJ6bhGHV
mondialmt2.hi2.ro/HJ6bhGHV
orquestracaravan.com/HJ6bhGHV
turiblo.atspace.com/HJ6bhGHV
www.lancerortho.com/HJ6bhGHV
www.pescatoridelpontile.it/HJ6bhGHV
www.reniero.org/HJ6bhGHV
www.vinyljazzrecords.com/HJ6bhGHV
xn--kukuk-gstrow-jlb.de/HJ6bhGHV
The payload is Locky ransomware with a very low detection rate at present. It phones home to:
185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)
46.148.26.77/php/upload.php (Infium UAB, Ukraine)
The MWTV block is all bad. Recommended blocklist:
185.129.148.0/24
138.201.56.190
46.148.26.77
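The indicators above fall into two groups: the downloader locations all share the same path (/HJ6bhGHV) across ten otherwise unrelated compromised sites, and the Locky C2 callbacks all go to /php/upload.php on one of three IPs. The following Python script is an added example (not part of the original post) showing how a practitioner would sweep a proxy log for both groups and apply the recommended blocklist. The log format (timestamp, client IP, method, URL, status) and the log lines themselves are constructed for the example; the hosts, paths, IPs and CIDR are copied from the post. It also flags the /HJ6bhGHV path on any host not in the list, on the assumption that the same downloader path will show up on further compromised sites.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the post above.
DOWNLOAD_PATH = "/HJ6bhGHV"
DOWNLOAD_HOSTS = {
    "marcinha.50webs.com",
    "marimo1963430.web.fc2.com",
    "mondialmt2.hi2.ro",
    "orquestracaravan.com",
    "turiblo.atspace.com",
    "www.lancerortho.com",
    "www.pescatoridelpontile.it",
    "www.reniero.org",
    "www.vinyljazzrecords.com",
    "xn--kukuk-gstrow-jlb.de",
}
C2_PATH = "/php/upload.php"
# Recommended blocklist: the whole MWTV /24 plus the two single hosts.
BLOCKLIST = [
    ipaddress.ip_network(n)
    for n in ("185.129.148.0/24", "138.201.56.190/32", "46.148.26.77/32")
]

# Constructed proxy log format (an assumption for this example):
# "<unix_ts> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample lines: one download, one C2 callback, one benign
# request, one hit on another address in the blocklisted /24, and the
# downloader path on a host that is not in the published list.
SAMPLE_LOG = """\
1471255020 10.0.0.12 GET http://www.reniero.org/HJ6bhGHV 200
1471255031 10.0.0.12 POST http://185.129.148.19/php/upload.php 200
1471255040 10.0.0.7 GET http://www.example.com/index.html 200
1471255055 10.0.0.7 GET http://185.129.148.200/ 404
1471255060 10.0.0.9 GET http://some-other-host.example/HJ6bhGHV 200
""".splitlines()


def classify(url):
    """Return a verdict string for a requested URL, or None if it matches nothing."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    path = parts.path
    # Destination IP against the blocklist first: anything in those ranges
    # is blocked regardless of path, but the C2 path is called out separately.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None and any(ip in net for net in BLOCKLIST):
        return "locky-c2" if path == C2_PATH else "blocklisted-ip"
    # Known downloader host + the shared path.
    if host in DOWNLOAD_HOSTS and path == DOWNLOAD_PATH:
        return "locky-download"
    # Same path on an unknown host: likely a compromised site not yet on the list.
    if path == DOWNLOAD_PATH:
        return "suspicious-path"
    return None


def scan(lines):
    """Parse log lines and return (client, url, verdict) for every indicator hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real deployment would count these
        verdict = classify(m["url"])
        if verdict:
            hits.append((m["client"], m["url"], verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:16} {client:12} {url}")
```

A client that appears with both a locky-download and a locky-c2 hit (10.0.0.12 in the constructed log) has almost certainly already run the macro and should be isolated; a download hit with no callback may mean the block happened in time, but the host still needs the .docm and any dropped executable cleaned up.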
6 comments:
Just received a similar email with Order Confirmation-1115-2110458-20160817-076465 in the subject line. DO NOT OPEN THE ATTACHMENT!
Me too.
What can that virus do?
Hi, so stupid that I downloaded and opened the file....
Already deleted it from my computer, any risk or anything I should do now?
I just received that same email and decided to do a Google search and found this helpful blog. Luckily I didn't open the attachment because I know I didn't use esab.co.uk services and just was worried someone had access to my CC.
I just received this and will now delete it. Thanks
The Locky downloader is just a variant. The random number generator tries all kinds of e-mail combinations, and then pumps out an attachment with the changing serial number.
It appears to originate from India on IP 1.187.114.143, but that is only the forwarder's node. The IP embedded in the headers, 117.223.50.136, is the source of the e-mail.
According to the Composite Block list, 117.223.5.136: this IP is infected with, or is NATting for a machine infected with, Win32/Dorkbot, and was last detected on 2016-08-20 08:00 GMT +/- a half hour.
If you are in .ca, the sinkhole of spam wants to know how many are being sent, so forward your spams to spam@fightspam.gc.ca, and yes, they do 'win' once in a while: http://news.gc.ca/web/article-en.do?nid=1023419